CVE Vulnerabilities

CVE-2026-33202

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Mar 24, 2026 | Modified: Jun 17, 2026
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storages DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

NameVendorStart VersionEnd Version
RailsRubyonrails*7.2.3.1 (excluding)
RailsRubyonrails8.0.0 (including)8.0.4.1 (excluding)
RailsRubyonrails8.1.0 (including)8.1.2.1 (excluding)
RailsUbuntuesm-apps/xenial*
RailsUbuntuquesting*

Potential Mitigations

References